In the dog days of last week, a shadowy group of secret sources in U.S. Cyber Command whispered to reporters that they’d disrupted a huge, ransomware-spewing botnet. Trickbot, closely related to Emotet and Ryuk, is believed to be managed by Russian criminals.
But today, Microsoft and friends are saying the disruption was actually down to them—awks. The consortium of industry players has developed a new legal mechanism to remove the botnet’s servers from the net and they say it’s working.
They’re basically using international copyright law to do takedowns, arguing that “malicious use” of Windows and Office is actionable in court. In today’s SB Blogwatch, we DMCA ur C2 and pwn ur zombies.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: om nom … wait, what?
2 Wrongs Don’t Make a Copyright
What’s the craic? Ellen Nakashima reports—“Cyber Command has sought to disrupt the world’s largest botnet”:
In recent weeks, the U.S. military has mounted an operation to temporarily disrupt … the Trickbot botnet, an army of at least 1 million hijacked computers run by Russian-speaking criminals. … The effort is part of what Gen. Paul Nakasone, the head of Cyber Command, calls “persistent engagement,” or the imposition of cumulative costs on an adversary by keeping them constantly engaged.
“Right now, my top priority is for a safe, secure, and legitimate 2020 election,” Nakasone said in August. … Department of Homeland Security Officials fear that a ransomware attack on state or local voter registration offices and related systems could disrupt preparations … or cause confusion or long lines on Election Day. They also note that ransomware is a major threat beyond elections.
On Sept. 22 … researchers who monitor the Trickbot network noticed the disruption of command and control servers. They did not know who was behind the disruption, but saw that someone had hacked the servers and sent out updates to all infected computers — including in the United States — that effectively severed the communication between the victimized computers and the servers. … On Oct. 1, another similar disruption took place.
“At a time when ransomware is eating the world, this is an operation against one of the biggest and most active threat streams,” said one official … who spoke on the condition of anonymity. … “Is this permanent? Of course not.” But any effort to degrade the botnet should be applauded, the official said.
I think I heard about this already. All aboard the Brian Krebs cycle—“Trickbot Tricks”:
A week ago, [I] broke the news that someone was attempting to disrupt the Trickbot botnet. [I] reported that twice in the preceding ten days, an unknown entity that had inside access to the Trickbot botnet sent all infected systems a command telling them to disconnect themselves from the [C2] servers.
Four U.S. officials who spoke on condition of anonymity said the Trickbot disruption was the work of U.S. Cyber Command, a branch of the Department of Defense headed by the director of the National Security Agency (NSA).
Neat. How did it go down? Ionut Ilascu explains—“TrickBot botnet targeted in takedown operations”:
The Trickbot operation started hitting serious snags towards the end of September when enslaved computers received an update that cut them off from the botnet by changing the command and control server address to 127.0.0.1 (localhost). … It is unclear, though, if the above actions were the work of the U.S. Cyber Command.
Microsoft and ESET said that together with cybersecurity and telecommunications companies initiated activities meant to disrupt Trickbot. [ESET] said that the efforts started several months ago and that multiple disruption actions occurred during this period [but that they are] not aware of any connection between their operation and the one carried out by the Cyber Command.
The actors behind Emotet, Trickbot, and Ryuk are professional cybercriminals running operations with a global reach and aiming for big money.
Wait, so it wasn’t Cyber Command at all? Microsoft’s Tom Burt sounds slightly miffed—“New action to combat ransomware”: [emphasis mine]
We disrupted Trickbot through a court order we obtained as well as technical action we executed in partnership with telecommunications providers around the world. We have now cut off key infrastructure so those operating Trickbot will no longer be able to initiate new infections or activate ransomware already dropped.
To execute this action, Microsoft formed an international group of industry and telecommunications providers … including FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT and Symantec. … Our case includes copyright claims against Trickbot’s malicious use of our software code. This approach is an important development in our efforts to stop the spread of malware.
With this civil action, we have leveraged a new legal strategy that allows us to enforce copyright law to prevent … our software code, from being used to commit crime. As copyright law is more common than computer crime law, this new approach helps us pursue bad actors in more jurisdictions around the world.
Why so cynical about government action? nimbius explains:
Cyber Command is predicated on the idea that the most talented [recruits] will come from the government’s own military recruitment efforts, which have either stagnated or failed to meet even basic targets. … Most will leave for … modern living wage opportunities in the private sector that operate at a less glacial pace.
The brain drain will culminate in the same laughably inept government efforts that to this day plague even rote agencies like the IRS and department of state. Cavalcades of wide-assed middle-aged cubicle swine having spent a decade or more being beated into submission by arcane bureaucratic edicts will supplicate their long chains of equally wide-assed leadership … until it is sunset by the next leadership bureaucrat to take the form of a department head.
And Phil can’t help but agree:
[It’s] clear that the disruption was nothing more than a shakedown. For that to avoid having been for nothing, there needs to be a follow up that goes well beyond. … The disruption might have been only for the coming election, which makes it sound like the US Cyber Command will forget to finish.
Troubling that news has broken well before the operation ought to have concluded. Now the crooks will be regrouping and weeding out the weaker points of their operations.
But Look Ahead WA is encouraged:
Wow, this is encouraging. Wouldn’t it be cool if the US government took more persistent action to protect individuals and the private sector from foreign hackers stealing and destroying lives and businesses? It seems to most of us that this has simply been accepted as a fact of life, like deaths and taxes.
Ironically, Troglodytes troglodytes indigenus actually blames Microsoft for the botnet’s spread:
But it isn’t really news that a Government couldn’t find its *** with both hands tied behind its back. [We block connections] from IPs/ASNs in a GeoIP-based blocklist and those with a high weighted DNSBL score. Our DNSBL scoring system uses a dozen or more DNSBLs (like the excellent Spamhaus) to produce a score ranging from 0 up to a usual maximum at the moment of about 15. … It’s very effective.
Lately there’s been quite a lot from Microsoft’s AS8075 (protection.outlook.com addresses) which historically has been unusual (about a thousand in the year to 1st September, well over a thousand in the past month alone) and I think it shows that if we’re talking about Emotet, Microsoft systems are the main problem.
Meanwhile, this slightly sarcastic Anonymous Coward loves an unfair stereotype:
”Russian-speaking cybercriminals”? … Now that should narrow down the list to about a dozen suspects.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or email@example.com. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
Image sauce: U.S. Army